package com.lenovo.lcdm.dcm.config.login;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpHeaders;
import org.springframework.security.config.annotation.method.configuration.EnableReactiveMethodSecurity;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer;
import org.springframework.security.oauth2.jwt.JwtDecoder;
import org.springframework.security.oauth2.jwt.NimbusJwtDecoder;
import org.springframework.security.oauth2.server.resource.web.BearerTokenResolver;
import org.springframework.security.oauth2.server.resource.web.DefaultBearerTokenResolver;
import org.springframework.security.web.SecurityFilterChain;
import org.springframework.security.web.util.matcher.AntPathRequestMatcher;

import static org.springframework.security.config.Customizer.withDefaults;


@Configuration
@EnableWebSecurity
@EnableReactiveMethodSecurity
public class securityConfig {


    @Value("${spring.security.oauth2.resourceserver.jwt.jwk-set-uri}")
    private String jwkSetUri;

    @Value("${lcdm.jwt.interceptor.exclude}")
    private String[] permits;

    @Bean
    public SecurityFilterChain defaultSecurityFilterChain(HttpSecurity http) throws Exception {
        return http
                .authorizeHttpRequests((authorize) -> {
                            for (String permitUrl : permits) {
                                authorize.requestMatchers(new AntPathRequestMatcher(permitUrl)).permitAll();
                            }
                            authorize.anyRequest().authenticated();
                        }
                )
//                .oauth2Client(httpSecurityOAuth2ClientConfigurer -> {
//                    httpSecurityOAuth2ClientConfigurer.authorizationCodeGrant(authorizationCodeGrantConfigurer -> {
//                        authorizationCodeGrantConfigurer.authorizationRedirectStrategy(customAuthorizationRedirectStrategy);
//                    });
//                })
                .csrf(AbstractHttpConfigurer::disable)
                .oauth2Login(withDefaults())
//                .logout(logout -> {
//                    logout.logoutSuccessHandler(clientLogoutSuccessHandler);
//                })
//                .csrf(AbstractHttpConfigurer::disable)
                .oauth2ResourceServer(oauth2ResourceServer -> {
                    oauth2ResourceServer.accessDeniedHandler(new CustomAccessDeniedHandler());
                    oauth2ResourceServer.authenticationEntryPoint(new CustomAuthenticationEntryPoint());
                    oauth2ResourceServer.jwt(jwt -> {
                    });
                }).build();
    }

    @Bean
    BearerTokenResolver bearerTokenResolver() {
        DefaultBearerTokenResolver bearerTokenResolver = new DefaultBearerTokenResolver();
        bearerTokenResolver.setBearerTokenHeaderName(HttpHeaders.AUTHORIZATION + "-JWT");
        return bearerTokenResolver;
    }

    @Bean
    JwtDecoder jwtDecoder() {
        return NimbusJwtDecoder.withJwkSetUri(jwkSetUri).build();
    }

}
